CVE-2024-5452: pytorch-lightning: RCE via deepdiff Delta deserialization

GHSA-cgwc-qvrx-rf7f | CRITICAL | PoC AVAILABLE | CISA: ATTEND
Published June 6, 2024

CISO Take

Any self-hosted pytorch-lightning application in default configuration is vulnerable to unauthenticated remote code execution — no credentials required, no user interaction needed. The delta endpoint is enabled by default, making internet-exposed ML training servers trivially exploitable by anyone with network access. Patch to lightning >= 2.3.3 immediately; if patching is blocked, restrict or disable the delta endpoint and isolate the host from untrusted networks.

Risk Assessment

Extremely high risk. CVSS 9.8 with no authentication, no user interaction, and low attack complexity means any network-reachable pytorch-lightning instance is a critical exposure. EPSS of 0.567 signals ~57% probability of exploitation in the wild within 30 days — treat this as actively exploited. ML training infrastructure is often trusted-network territory with inadequate hardening, and post-exploitation access to GPU servers, model weights, training data, and cloud credentials makes these high-value targets for IP theft, lateral movement, and cryptomining.

Affected Systems

Package | Ecosystem | Vulnerable Range | Patched
pytorch_lightning | pip | | No patch
lightning | pip | < 2.3.3 | 2.3.3

Severity & Risk

CVSS 3.1: 9.8 / 10
EPSS: 62.6% chance of exploitation in 30 days (higher than 98% of all CVEs)
Exploitation Status: Exploit Available
Exploitation: MEDIUM
Sophistication: Moderate
Exploitation Confidence: medium
CISA SSVC: Public PoC
Public PoC indexed (trickest/cve)
EPSS exploit prediction: 63%
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV: Network
AC: Low
PR: None
UI: None
S: Unchanged
C: High
I: High
A: High

Recommended Action

  1. PATCH

    Upgrade to lightning >= 2.3.3 immediately (pip install 'lightning>=2.3.3').

  2. INTERIM WORKAROUND

    If patching is blocked, disable the delta endpoint in application configuration or block it at the reverse proxy/WAF layer before the patch is applied.

  3. NETWORK ISOLATION

    Ensure pytorch-lightning applications are never exposed to untrusted networks; enforce strict firewall rules limiting access to authorized IP ranges and require VPN for all ML platform access.

  4. INVENTORY

    Audit all lightning/pytorch-lightning installations across your environment using package scanners (pip list, Safety, Trivy, Grype, Syft) — pay special attention to CI/CD systems and shared ML platforms.

  5. DETECTION

    Monitor for anomalous child process spawning from Python/lightning processes; alert on unexpected outbound connections from ML training hosts; review delta endpoint access logs for suspicious payloads.

  6. CREDENTIAL ROTATION

    If any instance may have been exposed, treat the host as compromised — rotate all credentials, API keys, and cloud IAM tokens present on the system.
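
Step 4 as a script: an added example (not from the advisory or the Lightning project) that classifies `pip freeze`-style text against the versions in the Affected Systems table. The status labels and the sample input are constructed for illustration.

```python
import re

FIXED = {"lightning": (2, 3, 3)}         # advisory: lightning < 2.3.3 vulnerable, 2.3.3 patched
NO_PATCH_LISTED = {"pytorch-lightning"}  # advisory table lists "No patch" for pytorch_lightning
REQ = re.compile(r"([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(?:==\s*([^\s;#]+))?")
PRE = re.compile(r"[-_.]?(a|b|c|rc|alpha|beta|pre|preview|dev)\d*", re.I)

def normalize(name):
    """PEP 503 normalization, so pytorch_lightning == PyTorch.Lightning."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_version(text):
    """Return (release tuple, is_prerelease), or None if the version is not numeric."""
    m = re.match(r"v?(\d+(?:\.\d+)*)(.*)$", text)
    if not m:
        return None
    release = tuple(int(part) for part in m.group(1).split("."))
    return release + (0,) * (3 - len(release)), bool(PRE.match(m.group(2)))

def audit(freeze_text):
    """Return [(package, pinned_version, status)] for the two affected packages."""
    findings = []
    for line in freeze_text.splitlines():
        m = REQ.match(line.strip())
        if not m:
            continue  # comments, blank lines, editable installs
        name, pinned = normalize(m.group(1)), m.group(2)
        if name in NO_PATCH_LISTED:
            status = "NO_PATCH_LISTED"
        elif name not in FIXED:
            continue  # e.g. lightning-utilities is a different package
        elif pinned is None:
            status = "UNPINNED"  # range or bare name: check the installed version
        else:
            parsed = parse_version(pinned)
            if parsed is None:
                status = "UNKNOWN"
            else:
                # A pre-release of the fixed version (2.3.3rc1) sorts before 2.3.3.
                older = parsed[0] < FIXED[name] or (parsed[0] == FIXED[name] and parsed[1])
                status = "VULNERABLE" if older else "OK"
        findings.append((name, pinned, status))
    return findings

# Constructed sample, not output from a real host.
SAMPLE = "lightning==2.2.1\nlightning-utilities==0.11.2\npytorch_lightning==2.2.1\ntorch==2.3.0\n"
if __name__ == "__main__":
    print(audit(SAMPLE))
```

Feed it the output of `pip freeze` from each environment, including CI/CD images; `UNPINNED` and `UNKNOWN` entries need a manual check of what is actually installed.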

CISA SSVC Assessment

Decision: Attend
Exploitation: poc
Automatable: Yes
Technical Impact: total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
ISO 42001: A.6.2 - AI system security and resilience
NIST AI RMF: MANAGE 2.2 - Mechanisms are in place to identify and address risks from third-party AI software and services
OWASP LLM Top 10: LLM05 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is CVE-2024-5452 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2024-5452, increasing the risk of exploitation.

What systems are affected by CVE-2024-5452?

This vulnerability affects the following AI/ML architecture patterns: ML training pipelines, model development environments, data science platforms, model serving.

What is the CVSS score for CVE-2024-5452?

CVE-2024-5452 has a CVSS v3.1 base score of 9.8 (CRITICAL). The EPSS exploitation probability is 62.62%.

Technical Details

NVD Description

A remote code execution (RCE) vulnerability exists in the lightning-ai/pytorch-lightning library version 2.2.1 due to improper handling of deserialized user input and mismanagement of dunder attributes by the `deepdiff` library. The library uses `deepdiff.Delta` objects to modify application state based on frontend actions. However, it is possible to bypass the intended restrictions on modifying dunder attributes, allowing an attacker to construct a serialized delta that passes the deserializer whitelist and contains dunder attributes. When processed, this can be exploited to access other modules, classes, and instances, leading to arbitrary attribute write and total RCE on any self-hosted pytorch-lightning application in its default configuration, as the delta endpoint is enabled by default.
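
The restriction the description says was bypassed, written as a fail-closed check on change paths. This is an added example, not code from lightning or deepdiff and not the fix shipped in 2.3.3. It assumes paths in deepdiff's `root['key'].attr[0]` notation; the function names and the sample delta are constructed.

```python
import re

# One path segment after "root": .attr, ['key'] / ["key"], or [3]
SEGMENT = re.compile(r"""\.(?P<attr>[A-Za-z_]\w*)|\[(?P<q>['"])(?P<key>.*?)(?P=q)\]|\[(?P<idx>-?\d+)\]""")

def split_path(path):
    """Split "root['a'].b[0]" into typed segments; raise ValueError on anything else."""
    if not path.startswith("root"):
        raise ValueError("path does not start at root")
    pos, segments = len("root"), []
    while pos < len(path):
        m = SEGMENT.match(path, pos)
        if m is None:
            raise ValueError(f"unparseable segment at offset {pos}")
        for kind in ("attr", "key", "idx"):
            if m.group(kind) is not None:
                segments.append((kind, m.group(kind)))
        pos = m.end()
    return segments

def is_dunder(name):
    return name.startswith("__") and name.endswith("__")

def rejected_paths(delta):
    """Return [(change_type, path, reason)] for every path that must not be applied."""
    bad = []
    for change_type, changes in delta.items():
        for path in changes:
            try:
                segments = split_path(path)
            except ValueError as exc:
                bad.append((change_type, path, str(exc)))  # fail closed
                continue
            # Check attribute names and dictionary keys alike.
            names = [v for kind, v in segments if kind in ("attr", "key") and is_dunder(v)]
            if names:
                bad.append((change_type, path, "dunder name: " + ", ".join(names)))
    return bad

# Constructed sample in deepdiff's change-type -> {path: value} shape (not a captured request).
SAMPLE_DELTA = {
    "values_changed": {"root['counter']": {"new_value": 2}},
    "dictionary_item_added": {"root['jobs'][0]['__class__']": "x"},
    "attribute_added": {"root.state.__class__": "x", "root.state name": "x"},
}
if __name__ == "__main__":
    for finding in rejected_paths(SAMPLE_DELTA):
        print(finding)
```

A delta with any rejected path should be dropped whole rather than applied in part.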

Exploitation Scenario

An adversary scans for internet-exposed pytorch-lightning applications via Shodan or Censys targeting known default ports. Upon identifying a target running lightning < 2.3.3, they craft a malicious serialized deepdiff.Delta object that embeds dunder attribute modifications (e.g., __class__, __reduce__) bypassing the deserializer whitelist. The payload is submitted as a standard POST to the delta endpoint — no authentication required. When the server processes the delta, the dunder attributes pivot through Python's object model to import os or subprocess, executing an attacker-controlled command with the privileges of the lightning process. The attacker then exfiltrates model weights, training datasets, and cloud credentials from environment variables, or drops a persistent implant for ongoing access to the ML development environment. The entire chain requires no prior knowledge of the target beyond its network address.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

Published: June 6, 2024
Last Modified: October 15, 2025
First Seen: June 6, 2024
